aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTreehugger Robot2018-03-29 14:54:04 -0500
committerGerrit Code Review2018-03-29 14:54:04 -0500
commit9a76c280d64099411c6ebbbdf5e410232cce9c0e (patch)
treefdd8d50099cff211d2aa6d88301602132e947c40
parent2c36eb6d91730ff77dd26393763a93d6ca1eb202 (diff)
parent832a7042b0f977b6b0eead33b0265813832b06ed (diff)
downloadsystem-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.tar.gz
system-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.tar.xz
system-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.zip
Merge "Suppress harmless denials for file creation in cgroupfs."
-rw-r--r--private/init.te5
-rw-r--r--private/zygote.te5
-rw-r--r--public/domain.te7
3 files changed, 17 insertions, 0 deletions
diff --git a/private/init.te b/private/init.te
index 54648650..50b1c94c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
25# Sometimes we have to write to non-existent files to avoid conditional 25# Sometimes we have to write to non-existent files to avoid conditional
26# init behavior. See b/35303861 for an example. 26# init behavior. See b/35303861 for an example.
27dontaudit init sysfs:dir write; 27dontaudit init sysfs:dir write;
28
29# Suppress false positives when using O_CREAT
30# to open a file that already exists.
31# There's a neverallow rule for this in domain.te
32dontaudit init cgroup:file create;
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dc..ab707f15 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {
134 134
135# Do not allow access to Bluetooth-related system properties and files 135# Do not allow access to Bluetooth-related system properties and files
136neverallow zygote bluetooth_prop:file create_file_perms; 136neverallow zygote bluetooth_prop:file create_file_perms;
137
138# Suppress false positives when using O_CREAT
139# to open a file that already exists.
140# There's a neverallow rule for this in domain.te
141dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 0027efa3..06526482 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1331,6 +1331,13 @@ neverallow domain {
1331 sysfs_type 1331 sysfs_type
1332}:dir { add_name create link remove_name rename reparent rmdir write }; 1332}:dir { add_name create link remove_name rename reparent rmdir write };
1333 1333
1334# cgroupfs directories can be created, but not files within them
1335# TODO(b/74182216): Remove the installd allow when we're sure it's not used
1336neverallow {
1337 domain
1338 -installd
1339} cgroup:file create;
1340
1334dontaudit domain proc_type:dir write; 1341dontaudit domain proc_type:dir write;
1335dontaudit domain sysfs_type:dir write; 1342dontaudit domain sysfs_type:dir write;
1336 1343